How do you turn on password hashing (SSHA) in openLDAP

Sevil Natas · Jul 31, 2012 · Viewed 39.6k times

For the life of me, I cannot seem to find this anywhere and if anyone can even just give me a link I would be very appreciative.

We are trying to turn on SSHA hashing in openLDAP. By default it stores passwords in plaintext, which I think is criminal but hey I am an AD guy so what do I know. But you would think that they would make it easy to find the information needed to turn on hashing if you so choose. And wouldn't you choose?

Answer

Najmuddin · Jul 31, 2012

You can use 'password-hash' to change the hashing algorithm; the default one is SSHA (not clear text).

Note that slapd uses the above only if the password sent by the client is in plain text; if your client is sending a hashed password, it'll be stored as it is.

E.g. with pam_ldap, use pam_password exop (or clear).

How are password strength tests run at the server if the password is coming in hashed? I know that is a feature OpenLDAP touts.

If you send hashed passwords, slapd can't perform strength tests, so the clients must send passwords in clear text (ppolicy has an option to accept/reject hashed passwords).

Note:

  1. Make sure your clients use SSL/TLS (so the passwords are not sent in clear text).
  2. The userPassword attribute contains special characters ({}), so you have to do a base64 -d to identify the hashing algorithm used.

E.g. normally the attribute is returned in the following format (:: indicates the value is base64 encoded):

userPassword:: e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ==

$ echo e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ==|openssl base64 -d
{SSHA}B54UsfAhI7WPgqol5RCYyDu3NUjkYnUXXWicng==
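As an added example (not part of the answer above, and not OpenLDAP's own code), the following Python script does the same check programmatically: it decodes an LDIF userPassword:: value the way the openssl one-liner does, reports which {SCHEME} prefix is in use and how long the salt is, and verifies a password against an {SSHA} value. The LDIF line is constructed from the value quoted in the answer; the function names are my own, and the 4-byte salt in ssha_hash is an assumption (the verifier recovers the salt length from the stored value, so other lengths work too).

```python
"""Audit an LDIF userPassword value and verify {SSHA} hashes (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: an ldapsearch-style LDIF line. The "::" separator means
# the value is base64 encoded (RFC 2849); the payload is the one from the answer.
LDIF_LINE = "userPassword:: e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ=="

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; whatever follows is the salt


def decode_ldif_value(line: str) -> str:
    """Return the attribute value of one LDIF line, base64-decoding it if '::' is used."""
    _attr, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}data' into ('SCHEME', 'data'); a value with no prefix is cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt). 4-byte salt assumed."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    scheme, data = parse_scheme(stored)
    if scheme != "SSHA":
        return False
    raw = base64.b64decode(data)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_line(line: str) -> Dict[str, object]:
    """Report the storage scheme of one userPassword line; 'cleartext' means no hashing."""
    value = decode_ldif_value(line)
    scheme, data = parse_scheme(value)
    info: Dict[str, object] = {"scheme": scheme or "cleartext"}
    if scheme == "SSHA":
        info["salt_len"] = len(base64.b64decode(data)) - SHA1_LEN
    return info


if __name__ == "__main__":
    print(decode_ldif_value(LDIF_LINE))   # same output as the openssl one-liner above
    print(audit_line(LDIF_LINE))
    demo = ssha_hash("example-password")
    print(demo, ssha_verify("example-password", demo), ssha_verify("wrong", demo))
```

Running audit_line over every userPassword line of an ldapsearch dump is a quick way to confirm, after setting password-hash, that no entry still reports "cleartext"; entries written by clients that pre-hash (see the pam_password note above) will show whichever scheme the client chose.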